User Profile

Neil2020

Copper Contributor

Joined Mar 07, 2019

8 Posts

View All Badges

User Widgets

Recent Discussions

Re: Playbooks not triggering automatically when an alert is generated
Pranesh1060 I'm having the exact same issue 5 months after this thread stopped, Open case with MS and they admit the Sentinel trigger does not work consistently, kind of critical in my view for a SIEM,
Apr 14, 2020 Place Microsoft Sentinel
9.1KViews
0likes
0Comments
Re: Audit-Failed Events not reaching Workspace
YanivSh Just to complete this thread when I raised a call with MS we eventually worked out there was an issue with the KQL query I was using, != instead of using EventID == 4625 so the events were there all along, Next issue is alerting on similar eventID's as they seem to be missing AlertSeverity field, Thanks, Neil
Apr 14, 2020 Place Microsoft Sentinel
2.5KViews
0likes
0Comments
Re: Audit-Failed Events not reaching Workspace
@Yaniv Shasha Also for clarity, I am receiving security events from both VM's, I am not getting Audit-Failed events, Thanks, Neil
Apr 13, 2020 Place Microsoft Sentinel
2.5KViews
0likes
2Comments
Re: Audit-Failed Events not reaching Workspace
YanivSh They are both on standard as per the pic? Not sure what your second question means, "please show how the sentinel security event collector define?" Pretty sure I showed it as first pic in my previous post: Thanks Neil
Apr 13, 2020 Place Microsoft Sentinel
2.5KViews
0likes
3Comments
Re: Audit-Failed Events not reaching Workspace
YanivSh see below screens: In ASC under Pricing and Settings I have the below options: I seem to have 1 machine residing in each: Sentinel Workspace configuration below: Although to clarify they are both appearing in ASC: Appreciate the guidance Thanks, Neil
Apr 13, 2020 Place Microsoft Sentinel
2.4KViews
0likes
5Comments
Audit-Failed Events not reaching Workspace
I have a test VM in Azure and one running on my home PC, Both have the MMA agent are are sending Security Events to Sentinel's Log Analytics Workspace via ASC connector configuration, Audi-Success events written to the security log on both machines are being sent to the Workspace but not Audit-Failure, eg: failed logon attempts to either machine, When I query for that EventID 4625 no results, (no syntax errors) I have tested clearing the Security log on both machines which produces an event in the workspace and I have an alert, also creating a new user and then adding them into loacla administrator group has expected results, What am I missing regarding Aufit-Failed events to have them flow through/from ASC to the Workspace? Diagnostic settings for the VM in Azure are set as below, although I have "All Events" configured Sentinel side via the connector: Any guidance would be appreciated before I raise another support ticket, Thanks, Neil
Solved
Apr 13, 2020 Place Microsoft Sentinel
2.7KViews
0likes
7Comments
Re: Sentinel alerts stopped running playbooks
AdiGrio Wow, still broken for me so raised a suport case, they have said it is being escalated so I will wait, Thanks for responding
Apr 08, 2020 Place Microsoft Sentinel
5.5KViews
0likes
3Comments
Re: Sentinel alerts stopped running playbooks
AdiGrio Having the exact same issues, has there been any progress? Tried the workaround you suggested but no success, Thanks Neil
Apr 07, 2020 Place Microsoft Sentinel
5.5KViews
0likes
5Comments

Recent Blog Articles

No content to show